CVE-2026-54718 Remote code execution via advanced workflow email template

Severity: High
Identifier: CVE-2026-54718
Versions Affected: symbiote/silverstripe-advancedworkflow: < 6.4.5 || >= 7.0.0, < 7.1.3 || >= 7.2.0, < 7.2.1
Versions Fixed: symbiote/silverstripe-advancedworkflow: 6.4.5, 7.1.3, 7.2.1
Release Date: 2026-06-24

The advanced workflow email template field is vulnerable to a specially crafted payload that can be used to run arbitrary code on the server.

Base CVSS: 7.2
Reported by: Steve Boyd, Silverstripe Ltd.
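
To check whether a project is on an affected release, the following added example (not part of the advisory or the module's own code) reads a `composer.lock` and compares the locked version of the module against the ranges listed above. The sample lock file is constructed, and treating pre-release or branch versions as "unknown" for manual review is an assumption of this example.

```python
import json
import re

PACKAGE = "symbiote/silverstripe-advancedworkflow"
# Affected ranges from the advisory, as half-open [low, high) intervals.
AFFECTED = [((0, 0, 0), (6, 4, 5)), ((7, 0, 0), (7, 1, 3)), ((7, 2, 0), (7, 2, 1))]

def parse_version(raw):
    """Return (major, minor, patch) for a stable tag, else None.

    Branch aliases ('7.x-dev', 'dev-main') and pre-releases ('7.1.3-rc1')
    return None: their contents cannot be decided from the number alone.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def status(version):
    """Classify a locked version as 'affected', 'not affected' or 'unknown'."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    hit = any(low <= parsed < high for low, high in AFFECTED)
    return "affected" if hit else "not affected"

def check_lock(lock_text):
    """Return (version, status) for the module in composer.lock text, or None if absent."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name", "").lower() == PACKAGE:
            return pkg["version"], status(pkg["version"])
    return None

# Constructed sample input, trimmed to the fields this check reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "silverstripe/framework", "version": "5.2.0"},
        {"name": "symbiote/silverstripe-advancedworkflow", "version": "7.2.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    result = check_lock(SAMPLE_LOCK)
    if result is None:
        print(f"{PACKAGE} is not installed")
    else:
        print(f"{PACKAGE} {result[0]}: {result[1]}")
```

An "unknown" result means the lock file pins a branch or pre-release, so the installed commit has to be compared against the fixed tags by hand.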